nixos/secrets/README.md
2026-03-15 11:22:09 -04:00

# Secrets Management

```text
secrets/
├── system/     # System-level secrets (WiFi, VPN, etc.)
└── user/       # User-level secrets (password-store, API keys, etc.)
```

## Prerequisites

Age identity files are stored in src/user/config/keys/age/ and deployed automatically.

```sh
# For testing with a local key:
age-keygen > src/user/config/keys/age/local

# For Yubikey (see "Migrating to Yubikey" below):
age-plugin-yubikey --identity > src/user/config/keys/age/yubikey

# Add the public key to .sops.yaml in repo root
```

After rebuild, the identity is written to ~/.config/sops/age/keys.txt.

## Adding Secrets

1. Create or edit a YAML file:

   ```sh
   vim secrets/system/example.yaml
   ```

2. Encrypt in place:

   ```sh
   sops -e -i secrets/system/example.yaml
   ```

3. Reference in NixOS config:

   ```nix
   sops.secrets."SECRET_NAME" = {
     sopsFile = path/to/example.yaml;
   };
   ```

## Editing Secrets

```sh
# Opens decrypted in $EDITOR, re-encrypts on save
sops secrets/system/wifi.yaml
```
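Two ways a plaintext value ends up in `secrets/`: step 2 above (`sops -e -i`) is skipped, or an encrypted file is edited with a plain editor instead of through `sops`. The check below is an added example, not part of this repo; it assumes the `secrets/<level>/*.yaml` layout above, and its sample files use placeholder ciphertext rather than real sops output.

```shell
#!/bin/sh
# Added example (not part of this repo): a pre-commit style check that rejects a
# secrets file which was never encrypted in place, or which was edited outside
# `sops` and so carries a plaintext value. sops leaves a trailing top-level
# `sops:` metadata block and turns every leaf value into an ENC[AES256_GCM,...]
# token; keys ending in sops' default `_unencrypted` suffix are allowed through.

# check_sops_file FILE: returns 0 if FILE looks fully encrypted, 1 otherwise,
# printing each offending line as FILE:LINE: content.
check_sops_file() {
    f="$1"
    if ! grep -q '^sops:' "$f"; then
        echo "$f: no sops metadata block, file was never encrypted"
        return 1
    fi
    bad=$(awk '
        /^sops:/ { exit }                                   # metadata block, stop
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments, blank lines
        /^[[:space:]]*(- )?[^:]+:[[:space:]]*$/ { next }    # key opening a nested block
        /_unencrypted:[[:space:]]/ { next }                 # intentionally plaintext
        /(:|-)[[:space:]]+ENC\[AES256_GCM,data:[^,]*,iv:[^,]*,tag:[^,]*,type:[a-z]+\][[:space:]]*$/ { next }
        { print FILENAME ":" NR ": " $0 }
    ' "$f")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
# Constructed sample files (placeholder ciphertext, not real sops output).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/secrets/system"
cat > "$SAMPLE_DIR/secrets/system/wifi.yaml" <<'EOF'
wifi:
    ssid_unencrypted: homenet
    psk: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
cat > "$SAMPLE_DIR/secrets/system/vpn.yaml" <<'EOF'
vpn:
    endpoint: vpn.example.invalid   # added by hand after encryption, plaintext
    private_key: ENC[AES256_GCM,data:a2V5,iv:aXY=,tag:dGFn,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
cat > "$SAMPLE_DIR/secrets/system/db.yaml" <<'EOF'
db:
    password: example-plaintext   # sops -e -i was never run
EOF
for f in "$SAMPLE_DIR"/secrets/system/*.yaml; do check_sops_file "$f" || echo "REJECT $f"; done
```

Run it as a pre-commit hook over `secrets/` so a forgotten `sops -e -i` is caught before the plaintext reaches git history.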

## Viewing Secrets

```sh
# Decrypt to stdout
sops -d secrets/system/wifi.yaml
```

## Removing Secrets

  1. Remove from NixOS config
  2. Delete the encrypted file or remove the key from it via sops

## Re-keying (after adding/removing age keys)

```sh
# Update .sops.yaml with new keys, then:
sops updatekeys secrets/system/wifi.yaml
```